First Talks of TROOPERS19 Accepted!

TROOPERS18 was the best year ever (did you check our archives?) and it will be challenging to do better… However, we accept the challenge!

The trainings and talks were from high quality and choices were difficult to make… We hope you will enjoy reading these little teasers!

Follow us on Twitter (@WEareTROOPERS) for more information and do not hesitate to use our hashtag #TR19 when you have questions or remarks about TROOPERS19!

With that being said, we are excited to introduce the first official five talks of TROOPERS19! Continue reading “First Talks of TROOPERS19 Accepted!”

Continue reading

The Dog Whisperer’s Handbook

Generally speaking, I’m more of a Cat type of guy, but I have to say I really love BloodHound. And if you do too, you are in for a treat…
Last week, the ERNW Insight Active Directory Security Summit took place in Heidelberg. (More Info)
For this occasion, @Enno_Insinuator asked me if I would like to deliver a BloodHound Workshop, and of course I accepted the challenge…

Continue reading “The Dog Whisperer’s Handbook”

Continue reading

Active Directory Security Summit 2018 – Slides Online

on Tuesday, of November we realized our second AD security summit with the title: “Active Directory Security: On-Prem-Security, Secure Extension into the Cloud & Secure Operations” in Heidelberg. First, we had three talks: the first one about “Active Directory Core Security Principles & Best Practices” covering hybrid AD and AD Trusts as well (by Friedwart Kuhn & Heinrich Wiederkehr from ERNW), the second one a case study about the implementation of an ESAE Forest in a big insurance company (by Fabian Böhm from Teal Technology Consulting) and the third one about a case study with respect to the (security) challenges of a hybrid AD (by Raphael Rojas from STIHL). Continue reading “Active Directory Security Summit 2018 – Slides Online”

Continue reading
Events 2018: Back and forth with the ERNW Crew

If a conference feels like a great vacation, then the organizers are doing it absolutely right! took place for the 14th time in Luxembourg. From the 16th – 18th October, the Alvisse Parc Hotel hosted the conference. Those three days were full of talks, workshops and “discussions about computer security, privacy, information technology and its cultural/technical implication on society“. Some members of the ERNW crew had the chance to attend this year and we all enjoyed it a lot!

Continue reading “ 2018: Back and forth with the ERNW Crew”

Continue reading
Events 2018: Fuzzing Workshop by René Freingruber

I was at the conference in Luxembourg this year and attended the fuzzing workshop, held by René Freingruber from SEC Consult. I have been curious about this topic for some years now, but besides doing some manual fuzzing and web-fuzzing, I never looked into the whole topic that much.

The workshop lasted for around four hours. Before the workshop started each student got two VMs (Linux/Windows) where everything necessary was already set up. The VMs included 23 exercises, with step-by-step explanations, source code and exploits. René started out with an introduction to fuzzing, listing popular fuzzers and showing an example on how to fuzz with afl.

Thereafter he explained the whole process of file format fuzzing, in a clear and easily adoptable manner. Examples were shown for Linux and Windows. The differences and difficulties as for fuzzing on Windows were explained. It was also shown how to find exploitable vulnerabilities from the previously acquired crashes.

After a short break René introduced DynamRIO and PIN. Both tools are used for dynamic instrumentation. Two demos of the tools were shown, followed by a real-world example where he fuzzed mimikatz, the all beloved password recovery tool. To avoid running mimikatz on the compromised host, one can just dump the process memory of lsass.exe and load it into mimikatz to get credentials. Any idea where this is heading? Exactly, file format fuzzing!

Mimikatz EIP control

eip=41414141, looks like IP control to me ;D. A detailed writeup can be found over here.

The rest of the workshop René explained and discussed the areas which influence the fuzzing results. These can be divided into mutators, detection rate, input filesize and fuzzer speed. Instead of going into much detail myself I will just refer to his slides, which cover the topic way better than if I try to break it down in a few sentences.

René showed a lot of practical examples, although unfortunately there was not enough time to finish all of them while attending the workshop. Quite some time was spent on how to speed up the whole fuzzing process. Still I think it would be nice if more time could be spent on the practical examples.

The first exercise to introduce fuzzing and afl had the following source code. This code was then compiled with afl-gcc to add the instrumentation code with the following command:
afl-gcc -o main_afl main.c

Additionally, input file(s) are needed, which in this case were created with the following command:
python -c ‘print “\x00″*100’ > inputs/input

Then the fuzzer can be started with the following command:
afl-fuzz -i inputs -o output — ./main_afl @@

The -i flag specifies a directory where the input files are located and the -o flag specifies a directory where the crash files should be stored. Now afl will run and fuzz the binary. For fuzzing a “real” (instrumented) binary, one would go through the following process:

  1. Generate input files or download them.
  2. Instrument the source code (if possible)
  3. Remove input files with same functionality
  4. Reduce file size of input files.
  5. Start fuzzing

Removing the input files which trigger the same functionality is done before reducing their file size. One might guess, that this should be done the other way around, but reducing the file size can take a long time and should therefore be executed on the reduced file set.

To summarize the overall workshop:

  • I got a good understanding of the topic, what tools to use and how the process of fuzzing works.
  • The workshop could easily have been a three days workshop.
  • The students got awesome resources to start out their fuzzing journey, the slides are very good as are the VMs/demos.

So, I finally started to fuzz some binaries and have great fun doing so! Thanks very much for the workshop, René.

Cheers, Simon

Slides and demos can be found here.

Continue reading

H2HC2018 – Attacking VMware NSX

Matthias and I had the pleasure to give a talk at the H2HC2018 in São Paulo, Brazil about attacking VMware NSX. The talk is an introduction to VMware NSX for security researchers, and it discusses possible attack vectors including the management, controlling, and data exchange planes. We demonstrated how to prepare a fuzzing and debugging setup for the ESXi kernel and the kernel modules. It should be noted that Olli was also supporting the research. Continue reading “H2HC2018 – Attacking VMware NSX”

Continue reading
Events 2018: ARM IoT Firmware Emulation Workshop by Saumil Udayan Shah

First day at Three of us kicked the conference off with the ARM IoT Firmware Emulation workshop by Saumil. The goal of this workshop was not so much to write exploits or to pwn boxes but to learn how to build a beneficial research environment by emulating the hardware of a Linux based IoT device to run its firmware in order to run analysis and tests.

Continue reading “ 2018: ARM IoT Firmware Emulation Workshop by Saumil Udayan Shah”

Continue reading

Incident Analysis and Digital Forensics Summit 2018, 14th of November of 2018

*This event will be held in German*

Inspiriert durch die erfolgreichen Round-Table-Diskussionen der Troopers-Konferenz freuen wir uns, Ihnen heute mit dem Incident Analysis and Digital Forensics Summit 2018, eine weitere Veranstaltung in einer Reihe zu Trend-Themen im Bereich der IT-Sicherheit vorzustellen.

Continue reading “Incident Analysis and Digital Forensics Summit 2018, 14th of November of 2018”

Continue reading

Active Directory Security Summit 2018, 13th. of November of 2018

I have the pleasure to announce the Active Directory Security Summit 2018 at 13th. of November of 2018. The summit covers current Active Directory security related topics such as challenging tasks of hybrid Active Directory operations as well as new security best practices and some ‘evergreens’ – Admin Tiering implementations (what about Exchange and DNS…??), ESAE operations etc. 😉 Continue reading “Active Directory Security Summit 2018, 13th. of November of 2018”

Continue reading

Diversity, Community, Blackhoodie

Gender equality in the Infosec world as a topic of discussion comes with a lot of heated arguments and differences in opinion.
So let me start with some disclaimers on the target audience for this post. If you are in the category who believes everything about gender is perfect in the infosec world, this post is not for you. If you are in the category who believes gender and bringing diversity is not your area of interest, then this post is not for you either. There are so many interesting problems that the world offers you. Climate change, poverty, diseases, unemployment, addiction, science problems and what not. Everybody has the freedom to choose their area of interest and contribute towards it. If you are in the category who thinks gender equality in infosec needs some attention and would like to explore more on the topic without prejudices, then this post may  be interesting to you. Continue reading “Diversity, Community, Blackhoodie”

Continue reading